News Insights: A leaky database of SMS text messages exposed password resets and two-factor codes

NEWS INSIGHTS:

Michael Magrath, Director, Global Regulations & Standards, OneSpan, Inc.

“This egregious security lapse is significant.  The fact that one-time password (OTPs) codes were sent via SMS in clear text reinforces NIST’s decision to classify SMS-OTP as a restricted form of authentication in its 2017 revision of Special Publication 800-63-3 “Digital Identity Guidelines” Like passwords SMS OTPs are vulnerable to attacks and can be intercepted and reused.

“The fact that messages were sent in clear text with the ability to link one’s mobile phone number to a service provider opens the door to serious privacy infringements.  The only good news to come out of this for California-based, Voxox is that these security infractions occurred before the California Consumer Privacy Act of 2018 goes into effect in January 2020.  The Act defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”    The article cites that a password was sent in plaintext to a Los Angeles phone number by dating app Badoo, which would be in direct violation of the Act.    Let’s hope the Badoo subscriber is not married.  If so, they may be no longer.

“For convenience, many people reuse the same password across multiple websites.  Intercepted passwords sent in plain text could open a user to account takeover at their bank, brokerage, and favorite e-commerce sites.   Even more reasons why websites should accept strong authentication for users to access and make transactions.  Technologies like Intelligent Adaptive Authentication — which analyzes and score hundreds of user, device, and transaction data in real-time to determine the precise authentication requirements for each transaction — are beneficial to organizations of all sizes while offering robust, risk-based security without compromising end-user convenience.  With so many frictionless options commercially available, it is more of a question or “why not” rather than “when.”

Bimal Gandhi, Chief Executive Officer, Uniken: 

“Using SMS for authentication opens up several threat vectors for firms to worry about including device swap, SIM swamp and number porting. Companies using SMS should be put on high alert, as that data can be combined with commonly available personal information on the dark web and used in large scale attacks. While SMS is commonplace and easy to set up, companies need to make the right choice when choosing between doing what’s easy and doing what’s most secure for their customers and their firm.”